
Release v0.54.5 · navidrome/navidrome · GitHub


This is an important security fix. Please update ASAP.

Security Advisory: GHSA-c3p4-vm8f-386p

Changelog

Security updates
287079a: sec(subsonic): authentication bypass in Subsonic API with non-exis...


This is an important security fix. Please update ASAP. A proper CVE advisory will be published soon and will be linked here.

2 comments
  • This seems quite serious, I'll definitely be reading the CVE once it's published. Luckily, I noticed the GitHub notification of the release after only a couple of hours.

    edit: I read the advisory and it wasn't too bad in terms of attacker access:

    Impact
    An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.
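The advisory above describes a bug class rather than a single line: a user lookup that does not fail closed when the username does not exist. The following Go example is added here to illustrate that class and is not Navidrome's code; the token scheme (Subsonic's `t = md5(password + salt)`), the in-memory user table, the "alice" account and the salt are all constructed for the example, and the fail-open lookup returning a zero-value user is a hypothetical mechanism chosen to show the contrast, not a claim about how the real defect worked.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// User is a minimal stand-in for an account record (constructed for this example).
// Subsonic token auth needs the cleartext password available server-side.
type User struct {
	Name     string
	Password string
}

// store is a constructed in-memory user table with a single account.
var store = map[string]User{
	"alice": {Name: "alice", Password: "correct horse battery staple"},
}

// subsonicToken computes the Subsonic API token: hex(md5(password + salt)).
func subsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// lookupFailOpen models the defect class (hypothetical, not Navidrome's code):
// an unknown username silently yields a zero-value User with an empty password.
func lookupFailOpen(name string) User {
	return store[name]
}

// authenticateFailOpen is the vulnerable shape: it never checks that the user exists,
// so the token check runs against whatever the zero-value record contains.
func authenticateFailOpen(name, token, salt string) bool {
	u := lookupFailOpen(name)
	return token == subsonicToken(u.Password, salt)
}

// lookupFailClosed returns an explicit error for unknown users.
func lookupFailClosed(name string) (User, error) {
	u, ok := store[name]
	if !ok {
		return User{}, errors.New("unknown user")
	}
	return u, nil
}

// authenticateFailClosed is the hardened shape: an unknown user is rejected before
// any token is examined, and the comparison is constant-time.
func authenticateFailClosed(name, token, salt string) bool {
	u, err := lookupFailClosed(name)
	if err != nil {
		return false
	}
	expected := subsonicToken(u.Password, salt)
	return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1
}

func main() {
	salt := "c0ffee" // constructed
	good := subsonicToken("correct horse battery staple", salt)
	empty := subsonicToken("", salt)
	fmt.Println("alice, valid token, fail-closed:", authenticateFailClosed("alice", good, salt))
	fmt.Println("ghost, fail-open:               ", authenticateFailOpen("ghost", empty, salt))
	fmt.Println("ghost, fail-closed:             ", authenticateFailClosed("ghost", empty, salt))
}
```

The useful takeaway for a code base with a similar check is the regression test, not the toy: assert that a username absent from the store is rejected for every token, including the one derived from an empty password, and that the existence check happens before the credential comparison.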